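# servicemanager - the Binder context manager
type servicemanager, domain, mlstrustedsubject;
type servicemanager_exec, system_file_type, exec_type, file_type;

# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
#
# set_context_mgr is what lets this domain register itself as the
# framework Binder context manager; it is granted on self only, so no
# other domain in this file can claim that role.
allow servicemanager self:binder set_context_mgr;

# servicemanager may hand Binder references to any domain except the
# ones listed.  hwservicemanager and vndservicemanager are presumably
# the other (HIDL / vendor) context managers, and init/vendor_init are
# not expected to take part in framework Binder IPC at all; keeping
# them out of the transfer set keeps the three name services isolated
# from each other — NOTE(review): confirm against the matching rules
# in those domains' .te files.
allow servicemanager {
  domain
  -init
  -vendor_init
  -hwservicemanager
  -vndservicemanager
}:binder transfer;

# The service_contexts files are read-only inputs to the name service
# (the label lookup behind add_service / the access check below);
# nothing here ever needs write access to them.
allow servicemanager service_contexts_file:file r_file_perms;
allow servicemanager vendor_service_contexts_file:file r_file_perms;
# vendor_service_contexts_file is readable unconditionally above, so the
# former not_full_treble() copy of that exact rule (carrying a stale
# "nonplat_service_contexts" comment) has been dropped; the compiled
# policy is identical on both full-treble and non-full-treble devices.

add_service(servicemanager, service_manager_service)

# dumpstate passes servicemanager a pipe for bug-report output: the fd
# may be used and the fifo written, but not read.
allow servicemanager dumpstate:fd use;
allow servicemanager dumpstate:fifo_file write;

# Check SELinux permissions.
# This macro provides what servicemanager needs to ask the kernel
# whether a caller is allowed to add/find a given service name; it is
# the enforcement point for the service_contexts mapping read above.
selinux_check_access(servicemanager)

# Read/write on the kernel log device (presumably for logging; note
# this is rw_file_perms, not just write).
allow servicemanager kmsg_device:chr_file rw_file_perms;

recovery_only(`
  # Read VINTF files.
  r_dir_file(servicemanager, rootfs)
')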